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What is claimed is: 



1 

1 . A wide area network using the internet as a backbone, comprising: 


2 

a first dedicated line coupled to a first participating ISX/ISP provider of 


3 

internet access; 


4 

a source router having a channel service unit having an output coupled to said 


5 

first dedicated line; 


6 

a source firewall circuit having a first port for coupling directly or through 


7 

a local area network to a first device for which communication over said wide area 


8 

network (hereafter WAN) is desired, and having a WAN interface coupled to said 


9 

source router directly or through a local area network, said source firewall 


1 0 

functioning to encrypt the payloads of downstream WAN packets being transmitted 

'Ad 

i 13' ■ 

1 1 

via the WAN interface to said source router using any encryption method having a 

CP 

1 2 

user definable key or keys, and for decrypting the payloads of any incoming upstream 

i \\ 

■s's 

1 3 

WAN packets arriving from said source router via said WAN interface using the same 

□ 

1 4 

encryption method and user definable key or keys that were used to encrypt the 


1 5 

outgoing WAN packets; 


1 6 

one or more routers of other participating ISX/ISP providers of internet 

st— 

xl 

1 7 

services including a router at an endpoint participating ISX/ISP provider, said 

I" 4 

1 8 

routers functioning to implement a predetermined private tunnel data path coupling 


1 9 

a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP 


20 

provider through said routers of said participating ISX/ISP providers; 


21 

a destination router including a channel service unit coupled to or part of said 


22 

destination router, said destination router coupled through said channel service unit 


O 

and a <?prnnri dedicated line to said router of said endooint ISX/ISP Drovider* 


24 

a destination firewall circuit having a WAN interface coupled to said 


25 

destination router directly or through a local area network and having a second port 


26 

for coupling directly or through a local area network to a device for which 


27 

communication across said wide area network is desired, said firewall functioning to 


28 

encrypt the payloads of upstream WAN packets being transmitted through said WAN 


29 

interface to said destination router for transmission to said source router via said 


30 

private tunnel using the same encryption method used by said source firewall and the 
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3 1 same user definable key or keys used by said source firewall circuit, and for 

3 2 decrypting any incoming packets from said source router arriving from said 

3 3 endpoint participating ISX/ISP provider using the same encryption protocol used by 

3 4 said source firewall and the same user definable key or keys used by said source 

3 5 firewall circuit and transmitting the decrypted packets to said second device. 


1 2. A process for launching downstream AlterWAN packets addressed to an AlterWAN 

2 destination into a private tunnel coupling two AlterWAN destinations using the internet as a 

3 backbone and for launching non-AlterWAN packets into a normal internet traffic routing 

4 data path, comprising the steps: 

5 receiving at a source firewall an incoming downstream wide area network 

6 packet from a workstation or other device at a first customer location said incoming 

'A3 

, It 7 downstream wide area network packet being either addressed to an AlterWAN 

8 destination or not an AlterWAN packet; 

|y 9 at said source firewall, using the destination address in said incoming 

{ 3 1 0 downstream wide area network packet to determine if said packet is addressed to an 

]= 1 1 AlterWAN destination coupled to said source firewall by a private tunnel using the 

11 1 2 internet as a backbone (hereafter referred to as an AlterWAN packet) or is addressed 

S.l 1 3 to some non- AlterWAN website or location on the internet (hereafter referred to as a 

1 4 non-AlterWAN packet); 

Q 1 5 if said packet is an AlterWAN packet, encrypting at said source firewall the 

m 1 6 payload portion thereof and forwarding the encrypted AlterWAN packet to a source 

1 7 router; 

1 8 if said packet is a non-AlterWAN packet, at said source firewall, forwarding 

1 9 said non-AlterWAN packet to said source router without encrypting the payload 

2 0 portion thereof; 

2 1 at said source router, converting both said AlterWAN packets and said non- 

2 2 AlterWAN packets into signals suitable for transmission on a dedicated telephone line 

2 3 or other transmission medium coupling said source router to a specially selected 

2 4 first ISX/ISP provider and transmitting said signals to said specially selected 

2 5 ISX/ISP provider, said specially selected ISX/ISP provider being selected either 

2 6 because their routing tables are such that AlterWAN packets will naturally be routed 
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2 7 along high bandwidth, low hop-count data paths to the next ISX/ISP provider in said 

2 8 virtual private network or because the routing tables of the router of said first 

2 9 ISX/ISP provider have been altered to insure that AlterWAN packets get routed along 

3 0 high bandwidth, low hop-count data paths to the next ISX/ISP provider along said 
3 1 private tunnel. 

1 3. An apparatus comprising: 

2 a dedicated data path for coupling to a specially selected first participating 

3 ISX/ISP provider of internet access; 

4 a firewall circuit having a first port for coupling directly or through a local 

5 area network to one or more devices for which communication over a wide area 

6 network using the internet as a backbone is desired, and having a second port, said 


;p 7 firewall functioning to to use the destination addresses in the headers of each packet 


8 received from said one or more devices to distinguish between AlterWAN packets 


Ijj 9 which are packets addressed to destination devices coupled to said firewall circuit via 

1 0 a private tunnel through the internet, and conventional packets which are packets not 

; ]~ 1 1 addressed to destination devices coupled to said firewall circuit via a private tunnel 

^ 1 2 through the internet, said firewall circuit functioning to encrypt the payloads of 

%} 1 3 outgoing AlterWAN packets using one or more predetermined keys and an encryption 

Jj* 1 4 algorithem, and sending said encrypted AlterWAN packets to said source router via 

1 5 said second port, and functioning to forward any conventional packets to said source 

l, A 1 6 router, and functioning to decrypt any incoming AlterWAN packets arriving from 

1 7 said source router using the the same encryption algorithms and one or more 

1 8 predetermined keys which were used to encrypt the packets at the location from 

1 9 which they were sent; 

2 0 a source router having an input coupled to said second port of said firewall 
2 1 circuit either directly or by a local area network connection, and having a channel 

2 2 service unit having an output coupled to said dedicated data path, said channel service 

2 3 unit functioning to convert digital data packets received from said firewall circuit 

2 4 into signals suitable for transmission over whatever type of transmission medium is 

2 5 selected for said dedicated data path, and for converting signals received from said 

2 6 dedicated data path into data packets, said source router for transmitting both 
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2 7 AlterWAN and non-AlterWAN packets over said dedicated data path to said specially 

2 8 selected first participating ISX/ISP provider where AlterWAN packets will be routed 

2 9 via said private tunnel and specially seleted ISX/ISP providers to their destination 

3 0 and non-AlterWAN packets will be routed along paths on the internet other than said 
3 1 private tunnel. 

32 

1 4. A method of designing and implementing a wide area network using the internet as 

2 a backbone, comprising the steps: 



3 

1) selecting source and destination sites that have devices that need to be 


4 

connected by a wide area network; 


5 

2) examining the ISX/ISP internet service providers that exist between said 


6 

source and destination sites and selecting two or more of such ISX/ISP providers 

. !«* 

7 

through which data passing between said source and destination sites will be routed, 

1 i I 

8 

said selection being based upon how many hops the routers at those sites will cause 

9 

packets travelling between said source and destination sites to take and whether the 

a 

C3 

1 0 

average available bandwidth of the data paths along which the packets travelling 


1 1 

between said source and destination sites will travel is substantially greater than the 

C3 

1 2 

worst case bandwidth consumption of traffic between said source and destination 


1 *5 
I O 

sues, 


1 4 

3) coupling a source firewall to the devices at said source site and 

5 

1 5 

configuring said firewall to examine the destination addresses of packets received 


1 6 

from said devices at said source site and encapsulate each packet addressed to any 


1 7 

device at said destination site in an internet protocol packet, hereafter referred to as 


1 8 

an AlterWAN packet, said AlterWAN packet having as its destination address the 


1 9 

address of an untrusted port of a destination firewall at said destination site and 


20 

having the original IP packet as its payload, said source firewall being configured to 


2 1 

encrypt the payload portions of all said AlterWAN packets using a predetermined 


22 

encryption algorithm and one or more encryption keys but not to encapsulate or 


23 

encrypt the payload portions of any packets received from said devices at said source 


24 

site which are not addressed to any device at said destination site, and configuring 


25 

said source firewall to recognize any incoming AlterWAN packets which have as their 


26 

destination addresses the IP address of the untrusted side of said source firewall and 
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27 

to strip off the AlterWAN packet headers and decrypt the payload portion of each said 


28 

AlterWAN packet to recover the original IP packet transmitted from said destination 


29 

site using the same encryption algorithm and the same encryption key or keys used to 


30 

encrypt the payload portions of said AlterWAN packets at said destination site and for 


31 

outputting said recovered the original IP packet to said devices at said source site, 


32 

said source firewall having an untrusted port; 


33 

4) coupling a source router to receive said encrypted and non-encrypted 


34 

packets from said untrusted port of said source firewall and to convert them in a 


35 

channel service unit to signals suitable for transmission over a first dedicated local 


36 

loop connection; 


37 

5) contracting to establish said first dedicated local loop connection between 


38 

the output of said source router at which said signals appear and a first participating 


39 

ISX/ISP provider in the group of ISX/ISP providers selected in step 2; 

0 

40 

6) providing a destination router at said destination site having a channel 

Is ! 

41 

service unit which functions to receive from a second dedicated local loop connection 


42 

downstream signals encoding both encrypted AlterWAN packet and conventional IP 

J* 

43 

packets and converting said signals back into the original digital packet form and 

i lit i 

44 

outputting the recovered downstream packets at a firewall port, and said destination 

•:i=f 

=i. I 

'sJ| 

45 

router configured to receive upstream AlterWAN and conventional packets and 


46 

convert them into signals suitable for transmission on said second dedicated data path 

':)=? 

47 

coupling said destination router to an endpoint participating ISX/ISP provider in the 

l"l 
•:ltr 

48 

group of ISX/ISP providers selected in step 2 and transmitting said signals on said 


49 

second dedicated local loop connection; 


50 

7) contracting to provide a second dedicated local loop connection connecting 


51 

the input of said destination router to said endpoint participating ISX/ISP provider, 


52 

said second dedicated local loop connection having sufficiently high bandwidth to 


53 

handle the worst case traffic volume; 


54 

8) providing a destination firewall having an untrusted port having an IP 


55 

address coupled to said firewall port of said destination router to receive said 


56 

recovered digital packets, and configuring said destination firewall to recognize as 


57 

AlterWAN packets incoming recovered packets having as their destination address the 


58 

IP address of said destination firewall untrusted input port and to strip off the 
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5 9 AlterWAN packet header and decrypt the payload portion of said AlterWAN packet 

6 0 using the same encryption algorithm and encryption key or keys that were used to 
6 1 encrypt the packet at said source firewall, and configuring said destination firewall 

6 2 to output the decrypted packets at an output coupled to devices at said destination site, 

6 3 and configuring said destination firewall to examine the destination addresses of 

6 4 upstream IP packets received from said devices at said destination site and 

6 5 encapsulate each upstream IP packet addressed to any device at said source site in 

6 6 another IP packet, hereafter referred to as an AlterWAN packet, said AlterWAN 

6 7 packet having as its destination address the IP address of an untrusted port of said 

6 8 source firewall at said source site and having the original IP packet as its payload, 

6 9 said destination firewall being configured to encrypt the payload portions of all said 

7 0 AlterWAN packets using a predetermined encryption algorithm and one or more 
7 1 encryption keys but not to encapsulate or encrypt the payload portions of any IP 

"M 

£!i 7 2 packets received from said devices at said destination site which are not addressed to 

7 3 any device at said source site (hereafter referred to as conventional packets), and 

,u% 7 4 said destination firewall configured to transmit said encrypted AlterWAN packets and 

7 5 said conventional packets to said destination router via said untrusted port. 


^1 1 5. A wide area network using the internet as a backbone, comprising: 

2 a first dedicated line coupled to a first participating ISX/ISP provider of 

A 

^ 3 internet access; 

□ 4 a source router having a channel service unit having an output coupled to said 

5 first dedicated line; 

6 a source firewall circuit having a first port for coupling directly or through 

7 a local area network to a first device for which communication over said wide area 

8 network (hereafter WAN) is desired, and having a WAN interface coupled to said 

9 source router directly or through a local area network, said source firewall 

1 0 functioning to encrypt the payloads of downstream WAN packets being transmitted 

1 1 via the WAN interface to said source router using a first encryption method having a 

1 2 first set of user definable keys which may be only one key, and for decrypting the 

1 3 payloads of any incoming upstream WAN packets arriving from said first 

1 4 participating ISX/ISP using a second encryption method which is different than said 
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1 5 first encryption method and a second set of user definable keys which are different 

1 6 than the first set of user definable keys were used to encrypt the downstream WAN 

1 7 packets; 

1 8 one or more routers of other participating ISX/ISP providers of internet 
19 . . services including a router, at an endpoint participating ISX/ISP provider, said 

2 0 routers functioning to implement a predetermined private tunnel data path coupling 
2 1 a router of said first ISX/ISP to a router of said endpoint participating ISX/ISP 

2 2 provider through said routers of said participating ISX/ISP providers; 
2 3 a destination router including a channel service unit coupled to or part of said 

2 4 destination router, said destination router coupled through said channel service unit 

2 5 and a second dedicated line to said router of said endpoint ISX/ISP provider; 
2 6 a destination firewall circuit having a WAN interface coupled to said 

'% 2 7 destination router directly or through a local area network and having a second port 

2 8 for coupling directly or through a local area network to a device for which 

j,j 2 9 communication across said wide area network is desired, said destination firewall 

3 0 functioning to encrypt the payloads of upstream WAN packets being transmitted 

0 

j== 3 1 through said WAN interface to said destination router for transmission to said source 

= 3 2 router via said private tunnel using the same encryption method and user definable 

••^3 3 3 key or keys used by said source firewall to decrypt upstream WAN packets, and for 

3 4 decrypting any incoming downstream WAN packets from said source router arriving 

3 5 from said destination router via the router of said endpoint participating ISX/ISP 

C3 3 6 provider using the same encryption method and encryption key or keys used by said 

3 7 source firewall to encrypt downstream WAN packets and transmitting the decrypted 

3 8 packets to said second device. 
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